Smart Contract Risk – Who You Gonna Call? – Solidified

Smart contracts are rapidly becoming part of the legal world, yet there remain several key issues that lawyers and their clients have to face. One critical issue is whether the smart contract’s coded elements, that you, a third party developer, or the client have created, actually work as intended and are truly secure. This can be made more risky by the rise of smart contract templates that people buy without necessarily understanding the underlying code, which is often in the Solidity programming language.

If the code doesn’t work as intended in a contract or it is ‘hacked’ in some way, then, to put it mildly, all Hell could break loose. Imagine a derivatives smart contract placed on a blockchain that is either mis-coded or ‘malfunctions’ and makes a bank pay out billions of dollars every few minutes, instead of a few thousand dollars on a one off basis. Or, imagine a smart contract that locks you out of your rented house, car or certain services because information it has received from an IoT device has been misinterpreted by its coded elements? The list goes on.

Automating the execution of a contract is an amazing feat of technology, but naturally it has to work as expected. As with any powerful new technology, there are risks that need to be addressed head on. One way to address these risks is to ‘audit’ the smart contract before it goes live. In effect this is a technical review to make sure the coded elements are really going to perform as planned. (Such contracts also need a legal audit, but that’s another story.)

Artificial Lawyer caught up with Eduard Kotysh, founder of Solidified, one of a handful of new companies offering clients the ability to perform a smart contract audit, in this case by tapping a community of experts. Kotysh explained what his platform, which is still developing, is all about, and how it may prove integral to the adoption of this technology in the wider market.

First, can you tell the readers a little bit about how Solidified got started? What was the inspiration?

Eduard Kotysh, Solidified

When I first picked up the book on Ethereum by Henning Diedrich, I was consumed by the following phrase: ‘For contracts to become really powerful, the development of an ecosystem is required, where contract code itself is screened by trusted, knowledgeable members of society.’

As a software architect myself, I could really relate to this statement, but I also thought: It’s kind of funny to talk about trusted members of society in a decentralized system.

What if we open up the audit to the entire community instead of relying on a few individual players like Zeppelin or New Alchemy. This way you put it at the level of a community’s trust and make it more affordable, more like how the blockchain works. Thus, Solidified was born.

It seems that the world of smart contracts has hit a period of huge expansion, why is this? Why now? What’s driving this?

I think there are 2 main contributing factors:

First, the technology is maturing, signaling trust. The underlying blockchain protocols work well, giving faith to write smart contracts on top of something solid. People see the technology works and start getting curious about how it can be applied, thus giving birth to new ideas and projects. Forks are happening to improve the scalability and underlying language constructs, while tooling is improving to aid the developers. This attracts curious engineers from other backgrounds and retains existing ones.

Secondly, the ecosystem has gathered enough momentum with the media and events worldwide to hit a critical mass to go viral, with word of mouth spreading it like wildfire. I don’t know a developer who hasn’t heard about the blockchain. This produced an effect known as FOMO (Fear of Missing Out), as many see early opportunities and a large amount of money revolving in the space, attracting both developers and investors.

Solidified is providing smart contract auditing, which seems like a vital service, given that no-one wants a contract to self-execute incorrectly. What are the key things you are looking out for? And what are the main risks in terms of faults in a smart contract?

Our goal is to put your contract in front of as many trained eyes as possible, minimizing the chance that a bug can slip through. There are many common known attack vectors in smart contracts that have been exposed, such as re-entrancy with The DAO,delegation mistakes with Parity wallet, or something as simple as missing input validation; however, many of these vulnerabilities have not been known prior to being exposed by attackers. In other words, at the time, they were Zero-day exploits.

This puts automated verification tools at a significant disadvantage, since they tend to look for known patterns. Because of that, I strongly believe that even a year from now, it will require a wide net of trained human brains and a large incentive to catch new attack vectors during an audit. It’s a race between white hats and black hats to find Zero-day exploits in contracts, and Solidified is providing a platform to aid the good guys.

Whether you’re running a tokensale, a wallet service, or an energy tracking platform, your smart contracts govern assets, and it is your responsibility to do as comprehensive an audit as possible when 300 lines of code control millions of dollars.

There are now several start-ups offering template smart contracts that promise ‘no need to code, no need to know Solidify’. What is your view of these?

While reliable parts are great, these base template contracts tend to be fairly generic in nature. For example, the token factory can make ERC20s from a template with a few inputs. It’s a good learning base of best practices for a beginner, but an innovative project is not likely to emerge simply from a template-driven system that generates source code with a few string substitutions.

Innovative projects tend to be born in the heat of idea inspiration and coding the night away, where intent of execution is original thinking and doesn’t come from a template.

You have to also be careful with regards to intended execution of your project. The templated contracts are designed with specific goals and correctness in mind that may not necessarily reflect or verify the intended behavior you are trying to achieve.

In terms of clients, are big companies, banks and insurance companies showing an interest, or are clients coming from the blockchain/start-up community?

We’re getting signups from a wide array of industries, including Fintech, Insurance, Healthcare, Law, Agriculture, Gambling, Governance and others. They tend to be new innovative platforms of small-to-medium size preparing to deploy to Ethereum. We’re also seeing a large share of signups coming to audit their tokensale contracts, as expected.

There are now several law firms forming smart contract/blockchain consortia, often to agree on standards, meanwhile many in the blockchain community are running ahead and just placing contracts on Ethereum or other blockchains without worrying too much about legal issues, such as compliance with local law, or how to resolve a dispute. Do you think everyone should slow down a bit?

The Solidified user interface

As technology gets adopted, it’s obvious that government regulations will set in and legal standards will form. This signals acceptance by authorities and large organizations, which will seek a way to control and regulate the new thing, so it doesn’t create a disruption to an already established system. In a sense, finding a way to integrate it into the world we live in.

In my experience, most honest teams recognize that compliance with local regulations is mandatory and novel technology doesn’t change this fact of life. Some teams will place a higher premium on first-mover advantage while others will take a more conservative approach and await improved clarity.

And lastly, we are seeing so much great creativity and now mainstream uptake of smart contracts, e.g. AXA’s flight delay insurance smart contract policy. Where do you think we’ll be in terms of wider adoption in the next few years?

As adoption continues, a larger community will form around smart contract development. This community has a lot of potential to be cross-functional, composed of developers, lawyers, data scientists and more. Many partnerships are being formed to create such powerful cross-functional communities and drive the innovation forward.

The underlying technology will keep getting more stable and mature with many bright minds working on solving scalability challenges. The infrastructure projects that are being put in place now will become major players in a few years.

Additionally, instead of pouring everything into the blockchain, people will start recognizing what it’s good for and what it’s not, and start being more selective. While this adoption grows, audit platforms like Solidified will continue to increase in demand in order to support the rising number of blockchain-based solutions.

[N.B. If you’d like to read the White Paper by Solidified, please check it out here. ]